Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort log sending to Splunk

    Scheduled Pinned Locked Moved pfSense Packages
    2 Posts 1 Posters 4.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nojja
      last edited by

      Hello !

      I've just installed splunk on a debian host in my LAN and I just can't find how to, on my pfSense tell snort to send logs, alerts and all the usefull data to the splunk server.

      This debian server is already a nagios and syslog server.

      Any help ?

      (Sorry for my bad english, i'm french)

      1 Reply Last reply Reply Quote 0
      • N
        nojja
        last edited by

        Okay , found it !
        If it can help someone :
        The snort logs are included in the firewall logs so if you redirect your logs to a syslog server in >Status>System Logs>settings>remote server splunk will catch them.
        But you have to allow incoming logs from udp port 514 in splunk

        Now the question is .. how to correctly parse snort logs in splunk because the log format seems to have changed recently and I can't find any support on the net

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.